CVE-2025-25014Prototype Pollution in Kibana

CWE-1321Prototype PollutionCWE-908Use of Uninitialized Resource4 documents4 sources
Severity
9.8CRITICALNVD
CNA9.1
EPSS
2.5%
top 14.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Kibana
Timeline
PublishedMay 6

Description

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5elastic/kibana8.18.08.18.1+2
NVDelastic/kibana8.3.08.17.6+2

Patches

Patch: discuss.elastic.co

🔴Vulnerability Details

2
GHSA
GHSA-xpp5-m7fr-wp25: A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints2025-05-06
CVEList
Kibana arbitrary code execution via prototype pollution2025-05-06

📋Vendor Advisories

1
Microsoft
A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol().2021-05-11
CVE-2025-25014 — Prototype Pollution in Elastic Kibana | cvebase